Security researchers have reportedly identified a severe design flaw in a Microsoft Exchange email server feature that can be misused to capture Windows domain and application credentials from users all over the world.
Amit Serper, Area VP at the security firm Guardicore, discovered the flaw in the Microsoft Autodiscover protocol, an Exchange email server feature that lets email clients automatically locate their email server, supply credentials, and then retrieve the correct settings.
The protocol is an important component of Exchange email servers since it gives administrators a simple way to ensure that clients are using the correct IMAP, LDAP, SMTP, WebDAV, and other settings.
Serper stated that he discovered that Exchange's auto-discovery mechanism uses a "back-off" procedure when it fails to reach the Exchange server's Autodiscover endpoint on the first try.
According to Serper, this "back-off" procedure is the source of the leak: the client keeps trying to resolve the domain's Autodiscover component and always "fails up" to the parent domain. That means the next attempt to build an Autodiscover URL will be http://autodiscover.com/autodiscover/autodiscover.xml, so whoever owns autodiscover.com receives every request that could not reach the user's original domain.
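To make the "fail-up" behaviour concrete from a defender's side, the following Python is an added example (not Guardicore's code or Microsoft's implementation). It assumes a simplified model of the back-off in which the client prepends `autodiscover.` to the user's email domain and then strips the leftmost label on each failure; it derives which candidate hosts fall outside the domains an organisation actually controls, so they can be added to a DNS or proxy blocklist, and it scans a constructed proxy log for Autodiscover requests that already left the organisation, flagging cleartext HTTP ones.

```python
import re
from urllib.parse import urlparse


def autodiscover_candidates(email_domain):
    """Ordered Autodiscover hostnames a client following the 'fail-up'
    back-off would try for the given email domain.

    Assumed model: autodiscover.<domain>, then drop the leftmost label
    and repeat, e.g. example.com -> autodiscover.example.com,
    autodiscover.com. This is a simplification for illustration."""
    labels = email_domain.lower().strip(".").split(".")
    hosts = []
    while labels:
        hosts.append("autodiscover." + ".".join(labels))
        labels = labels[1:]
    return hosts


def outside_org(host, org_domains):
    """True if host is not equal to, or a subdomain of, any domain the
    organisation controls."""
    host = host.lower()
    return not any(host == d or host.endswith("." + d) for d in org_domains)


def autodiscover_blocklist(email_domain, org_domains):
    """Candidate Autodiscover hosts the client may fall back to that the
    organisation does not own; these are the ones to sinkhole or block."""
    return [h for h in autodiscover_candidates(email_domain)
            if outside_org(h, org_domains)]


# Constructed proxy log lines (hypothetical format, not from any real product).
SAMPLE_PROXY_LOG = [
    "2021-04-16T09:12:01Z user=alice src=10.0.0.5 method=POST "
    "url=https://autodiscover.example.com/autodiscover/autodiscover.xml status=200",
    "2021-04-16T09:12:03Z user=bob src=10.0.0.9 method=POST "
    "url=https://autodiscover.example.com/autodiscover/autodiscover.xml status=503",
    "2021-04-16T09:12:04Z user=bob src=10.0.0.9 method=POST "
    "url=http://autodiscover.com/autodiscover/autodiscover.xml status=200",
    "2021-04-16T09:12:05Z user=carol src=10.0.0.7 method=GET "
    "url=https://www.example.com/index.html status=200",
]

LOG_RE = re.compile(r"user=(\S+) src=(\S+) method=(\S+) url=(\S+) status=(\d+)")


def find_leaky_autodiscover(log_lines, org_domains):
    """Return Autodiscover requests that went to hosts outside the
    organisation; 'cleartext' marks plain-HTTP requests, where any
    credentials sent are exposed on the wire as well."""
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        user, src, _method, url, _status = m.groups()
        parsed = urlparse(url)
        if not parsed.path.lower().endswith("/autodiscover/autodiscover.xml"):
            continue  # not an Autodiscover request
        host = parsed.hostname or ""
        if outside_org(host, org_domains):
            findings.append({
                "user": user,
                "src": src,
                "host": host,
                "cleartext": parsed.scheme == "http",
            })
    return findings


if __name__ == "__main__":
    org = ["example.com"]
    print("blocklist:", autodiscover_blocklist("example.com", org))
    for f in find_leaky_autodiscover(SAMPLE_PROXY_LOG, org):
        print("ALERT:", f)
```

Running the script prints the one hostname to block for `example.com` (`autodiscover.com`) and a single alert for bob's fallback request, marked cleartext. The same hostname derivation works for deeper domains such as `mail.example.co.uk`, where the fallback chain passes through `autodiscover.co.uk` and `autodiscover.uk`; a production tool would consult the Public Suffix List rather than a naive label-stripping loop.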
Serper claimed he registered a number of Autodiscover domains under country-code top-level domains that were still available. These included Autodiscover.com.br for Brazil, Autodiscover.com.cn for China, Autodiscover.com.co for Colombia, Autodiscover.es for Spain, Autodiscover.fr for France, and many others.
According to the researcher, Guardicore ran honeypots on these servers to determine the scope of the problem.
Serper added that over more than four months, between 16 April 2021 and 25 August 2021, these servers received hundreds of requests carrying thousands of credentials from Microsoft Exchange users whose email clients, unable to find their employer's correct Autodiscover endpoint, had fallen back to the researcher's domains.
As per reports, Guardicore captured over 96,671 unique credentials and 372,072 Windows domain credentials sent by various Microsoft applications, including Microsoft Outlook.